Hacking for the good guys: Chrome cracked at Pwnium contest

Google offered cash prizes this week to hackers who could break its Chrome web browser. Less than 24 hours after the winner brought Chrome down, Google developers had a security fix ready.

Torsten Silz/AP/File
Google sponsored the "Pwnium" contest to identify and fix security holes in the Chrome browser. Here, a user mouses over a Google mouse pad at a book fair in Frankfurt, Germany.

Under normal circumstances, news of a hacker breaching a secure system and pocketing $60,000 would make us shudder and batten down our own online hatches. But in this case, a Russian teenager's exploit of Google's Chrome browser actually makes us all a little bit safer.

The hack took place during the Google-sponsored Pwnium contest this week, held at the CanSecWest security conference in Vancouver. The contest is designed to allow hackers to identify security holes in Chrome, so that these exploits can be patched before they're used for nefarious purposes. Sergey Glaznov won the top prize by breaching Chrome to gain full control of the test machine, allowing him to execute code remotely.

And true to their reputation for blazing-fast updates, Google developers released an over-the-air patch removing the security threat within 24 hours of the hack.

Chrome's main claim as a secure browser comes from a technique called "sandboxing," which keeps browser code away from the rest of the computer's operating system. In other words, even if a hacker gains access to Chrome, he or she won't (in theory) be able to access the whole computer. But Glaznov was able to chain three separate bugs in Chrome's programming to get around the sandboxing.

This was the first time that Chrome has been hacked publicly, but it wasn't the last: a French security company used a different exploit to bring the browser to its knees at the Pwn2Own competition, a separate hacking contest being held simultaneously at CanSecWest. Google says it hasn't received details about that hack yet, but users can undoubtedly expect another swift Chrome update once developers are able to plug that security hole as well.

Chrome's open-sourced code base is what enables Google developers to patch vulnerabilities and release patches to users so quickly. (A fix for a vulnerability in, say, Microsoft's Internet Explorer would likely have to go through weeks or months of quality-assurance tests before being pushed out to users.)

Now that the holes Glaznov discovered have been plugged, Google will spend some time studying the hack in depth, to better understand how to prevent similar exploits in the future. The Chrome Release blog notes that details about the hack won't be published until users have a chance to install the patch. Google wants to use Glaznov's hack to help patch other vulnerabilities -- but it doesn't want to give too much information to hackers who have less benevolent motives for wanting to cripple Chrome.
